Some questions about sessions, query strings and SEO

Hi everyone,

I thought I’d ask now before trying to use cookies or sessions with my website.

I need to pass variables from one page to the next. There are about 4 pages, and with each page additional variables need to be passed to the pages that follow. Is it better to use sessions or have a “kilometre-long” query string appended to the URL? I’m not sure how long a query string can be before problems arise. The only reason I wouldn’t want to use sessions is because some visitors might be put off by having to enable cookies in order to browse the website.

And what about SEO? Does it make a difference if I’m using cookies (sessions) or a query string? My website is also responsive. Do sessions work on mobile devices or isn’t this a factor? And lastly, how can I ensure that cookies are enabled before someone submits a form to go to another page? I need to display what the visitor selected on the previous page, but with cookies disabled, this won’t work.

Sorry for all of the questions, but hopefully someone can advise me on this.

Thanks in advance!!!

If you have four pages with forms, then you can also use the “POST” method, and add the values from the previous forms as hidden fields to the form on the current page. That way you don’t use sessions and cookies, and you don’t get a long query string either.

Thank you for replying Guido.

> If you have four pages with forms, then you can also use the “POST” method, and add the values from the previous forms as hidden fields to the form on the current page. That way you don’t use sessions and cookies, and you don’t get a long query string either.

But this would only be possible if I don’t validate the form inputs before submitting the form? Once I do any validation, then I’d have to use the header function and append values to the URL, or assign the “validated” values to session variables. Or am I wrong?

Why? What difference is there between adding the validated values to a query string, or putting them in hidden form fields?

Edit: by the way, at the end you’ll have to redo the validation of all values again, because you can’t be sure that the values you validated in the first three forms haven’t been changed by the user along the way.

Hi there Guido,

how else can I send the name variable to another page, other than appending it to the location URL or assigning it to a session variable?

Thanks!

```php
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $errors = array();
    if (empty($_POST['name'])) {
        $n = FALSE;
        $errors['n'] = 'Please enter your name.';
    } else {
        // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
        $n = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
    }

    if ($n) {
        // The redirect starts a new request, so $n is not carried over.
        header("location: somepage.php");
        exit();
    }
}
?>

<form name="someform" action="" method="post">
<p>Name</p>
<input type="text" name="name" size="32" value="" />
<input type="submit" value="send">
</form>
```

Ah yes, I see.
In that case sessions or query string are the only ways I think.

Let’s see if someone else has an idea?

You need to change the logic of your scripts so that they don’t use HTTP redirects. For example, create a function to display your form and, instead of redirecting the browser to another URL in case of an error, call the display function:


```php
<?php
// display_form(), save_data() and display_next_form() are placeholders
// for your own functions.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $errors = array();

    if (empty($_POST['name'])) {
        $errors['n'] = 'Please enter your name.';
    }

    if ($errors) {
        // display the form again without redirecting the browser
        display_form($_POST, $errors);

    } else {
        // form accepted, continue with whatever you need,
        // for example save data to db and/or display another page
        // (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
        $n = filter_var($_POST['name'], FILTER_SANITIZE_STRING);

        save_data($n);
        display_next_form($_POST);
        // etc...
    }

} else {
    // nothing submitted, because we have no data to pass we can safely redirect
    // the browser to the form so that the user can fill it in again.
    // If we have a series of form pages we need to redirect to the first one.
    header("location: form.php");
    exit;
}
```

You would use the display_form() function both when displaying your form first and in your script that accepts the form submission in case of an error. This is just an example; instead of a function you could also use an include or call a method of a class.

Thanks Guido.

@ Lemon Juice

> and instead of redirecting the browser to another URL in case of an error call the display function:

I’m not quite sure I understand. If there are errors, I’m redirected back to the same page, hence action="". It is only the validated values that need to be sent to the next page.

But I was just saying you have to get rid of the redirect! The word redirect may have many meanings so let me make it clearer:

  1. You get rid of the HTTP redirects (“Location: url”) so that the browser’s URL doesn’t change in case of an error. This is essential because without the redirect you have only one PHP script that does both of these things: display the next form or display the same form (in case of an error). In both cases this script accepts form data from $_POST so you have all the data you need to pass either to the next form or to the current form (for correction). In this way you don’t need sessions or long URLs because all data is passed via POST form submissions.

  2. For the user’s eyes the “redirect” still occurs because he is “redirected” to the same form on error, except that technically the URL doesn’t change. What is happening is that the same php script that has accepted the form data is displaying the form.

And in a typical scenario your form action wouldn’t be empty. Let’s say you have form A that is displayed by formA.php and form B that is displayed by formB.php:

Form A:


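```php
<form name="someform" action="formB.php" method="post">
<p>Name</p>
<!-- escape the value so submitted markup cannot break out of the attribute -->
<input type="text" name="name" size="32" value="<?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?>" />
<input type="submit" value="send">
</form>
```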

The script formB.php now has multiple tasks:

  1. Accept and validate data from form A.
  2. If there is an error display form A.
  3. If there is no error display form B.

If the user first goes to form A it will be available at formA.php URL. But when he submits the form the URL will change to formB.php. Now when at formB.php he will either see form B or, in case of an error, form A. In my previous post the sample script would be formB.php.

But the choice is not only between long query strings and cookies. You have omitted still another possibility to use sessions without cookies! For your 4-step long form you can use sessions and pass the session ID via URL, so the query string will be pretty short and you can store all the form data server side. Form data of a particular user would be identified by the session ID that would be assigned on submitting the first post and then passed on via URL to the other forms.

So to summarize you have two options:

  1. Passing all data via POST without sessions - what I described in my previous post.
  2. Use sessions without cookies and pass session ID via URL.

It’s hard to tell which one is better - the first one seems easier to implement (once you understand the mechanism) because you don’t need to manage sessions. But this method can be problematic if you want to pass large amounts of data, for example if you have file uploads on the first form all of this data would need to be resent with each form.

With the second method if the user quits the browser before completing all form series, they may get back to the form by going to the form URL from the browsing history, which is not possible with method 1. This may or may not be desirable depending on the application as this may lead to privacy problems. You would certainly need to manage session timeouts and if going back through browsing history should not be possible then you can use method 2 but pass session ID via POST.
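An added example, not part of the posts above: one way to write the formB.php flow described here (validate form A, show it again on error, otherwise show form B with the earlier value in a hidden field), together with the final re-validation of all values mentioned earlier in the thread. The field names, the validation rules and finish.php are assumptions.

```php
<?php
// Added example, not code from the thread. Field names, rules and
// finish.php are assumptions.
const RULES = [
    'name'  => '/\A[\p{L} .\'-]{1,64}\z/u',
    'email' => '/\A[^@\s]{1,64}@[^@\s]{1,255}\z/',
];

// Validate the listed fields; returns [clean values, error messages].
function validate(array $input, array $fields): array {
    $clean = $errors = [];
    foreach ($fields as $f) {
        $v = $input[$f] ?? '';
        // Arrays (name[]=x) and non-matching strings are both rejected.
        if (is_string($v) && preg_match(RULES[$f], trim($v)) === 1) {
            $clean[$f] = trim($v);
        } else {
            $errors[$f] = "Please enter a valid $f.";
        }
    }
    return [$clean, $errors];
}

function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// formB.php: check step A, then render form A again or form B.
function form_b_page(array $post): string {
    [$clean, $errors] = validate($post, ['name']);
    if ($errors) {
        $old = is_string($post['name'] ?? null) ? $post['name'] : '';
        return '<p>' . h($errors['name']) . '</p><form action="formB.php" method="post">'
             . '<input type="text" name="name" value="' . h($old) . '">'
             . '<input type="submit" value="send"></form>';
    }
    // Step A's value rides along as an escaped hidden input.
    return '<form action="finish.php" method="post">'
         . '<input type="hidden" name="name" value="' . h($clean['name']) . '">'
         . '<input type="text" name="email"><input type="submit" value="send"></form>';
}

// finish.php: the hidden value came back from the browser, so it is
// untrusted again. Validate every field, not only the newest one.
function finish_page(array $post): string {
    [$clean, $errors] = validate($post, array_keys(RULES));
    return $errors ? 'Rejected: ' . h(implode(' ', $errors)) : 'Accepted: ' . h(implode(', ', $clean));
}

// Constructed input: 'name' was edited in the hidden field after step A.
echo finish_page(['name' => '<b>Bob</b>', 'email' => 'a@example.com']), "\n";
```

Because every step calls the same validate() function, a value that was accepted at step A and then altered in the hidden input is caught at the final step.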

Lemon Juice,

thank you very much for explaining all of this to me. If I have the time I’ll try out both of these methods to see which one is easiest for me to manage. I appreciate your taking the time to assist me.

Please use this PHP code. This code is much better and simpler than your code.
Thank you.

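```php
<?php
if (isset($_POST['a'])) {
    // Read only the expected field instead of extract($_POST), which would
    // let a request overwrite any variable in scope.
    $name = isset($_POST['name']) && is_string($_POST['name']) ? $_POST['name'] : '';
    if ($name !== '') {
        header('location: somepage.php');
        exit; // stop the script once the redirect has been sent
    } else {
        $error = "Please fill the field";
    }
}
?>
<form name="someform" action="" method="post">
<p>Name</p>
<input type="text" name="name" size="32" value="" />
<input type="submit" value="send" name="a">
</form>
<?php if (isset($error)) { echo $error; } ?>
```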